NATO Summit Updates Cyber Defence Policy

NATO Heads of State and Government endorsed an enhanced NATO Cyber Defence Policy at the NATO Summit in Wales on 4-5 September 2014.

The Heads of State and Government of NATO member countries met in Newport, Wales, on 4-5 September 2014. Among other topics, they endorsed the Enhanced Cyber Defence Policy, which had already been approved by the defence ministers in Brussels on 3-4 June 2014. A synopsis of the Policy is provided by the Summit Declaration.1

According to the Policy, NATO recognises that international law applies to cyberspace, and that cyber defence is part of NATO’s core task of collective defence. Therefore, Article 5 of the North Atlantic Treaty on collective self-defence can be invoked in case of a cyber attack with effects comparable to those of a conventional armed attack.2 Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO Headquarters, said that the Policy does not set any detailed criteria for the activation of Article 5, which would have to be decided by the Allies on a case-by-case basis.3

The Summit Declaration underlines NATO’s fundamental responsibility for defending its own systems, while nations are expected to defend theirs. NATO will continue to integrate cyber defence into operations and planning and to enhance information sharing and situational awareness. NATO also intends to engage actively on cyber issues with international organisations, in particular with the EU.4

An earlier Estonian Defence Forces proposal to use its cyber range as the Alliance’s main cyber defence training field5 had been approved in June by NATO’s Supreme Allied Commander Transformation.6 This is reflected in the Summit Declaration which refers to ‘building, as a first step, on the Estonian cyber range capability, while taking into consideration the capabilities and requirements of the NATO CIS School and other NATO training and education bodies’ in developing the NATO cyber range capability.4

The Summit Declaration also mentions the cooperation of NATO with industry through the newly formed NATO Industry Cyber Partnership. The Partnership was launched on 17 September 2014 at the NIAS Cyber Security Symposium in Mons, Belgium. The Partnership is expected to ‘improve cyber security in NATO’s defence supply chain’, to ‘contribute to the Alliance’s efforts in cyber defence education, training and exercises’, and generally to improve mutual information sharing.7